如何使用Java验证证书是否为EV证书?
考虑以下示例代码,它使用一个如何使用Java验证证书是否为EV证书?,java,ssl,certificate,Java,Ssl,Certificate,考虑以下示例代码,它使用一个TrustManager来记录传出连接是否使用了有效的证书(但在所有情况下都接受该连接): 在checkClientTrusted方法中,我需要做什么来检查该证书是扩展验证证书(现代浏览器中的绿色地址栏)还是普通证书(黄色地址栏) 编辑: 我试图让一个CertPathValidator工作,但不知何故,我只得到关于证书不是CA证书的异常。。。有什么想法吗 edit2:使用PKIXParameters而不是PKIXBuilderParameters private bo
TrustManagercheckClientTrustedCertPathValidatorPKIXParametersPKIXBuilderParametersprivate boolean isEVCertificate(X509Certificate[] certs, String authType) {
try {
CertPath cp = new X509CertPath(Arrays.asList(certs));
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(new File(System.getProperty("java.home"), "lib/security/cacerts")), null);
PKIXParameters cpp = new PKIXParameters(ks);
cpp.setRevocationEnabled(false);
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
PKIXCertPathValidatorResult res = (PKIXCertPathValidatorResult) cpv.validate(cp, cpp);
System.out.println(res.getTrustAnchor().getCAName());
System.out.println(res.getPolicyTree().getValidPolicy());
System.out.println(cp);
return false;
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
}
www.paypal.combanking.dkb.de但是,即使使用Paypal.com,信任锚getCAName也会返回null,因此我如何知道它是根据哪个CA验证的,以便查找正确的EV策略?首先,您需要一个发卡机构名称及其相应的EV策略标识符的表 CA颁发证书时,他们可以记录颁发证书所依据的策略。此策略的标识符由颁发者分配,因此您需要颁发者及其EV策略的列表 然后,您将需要从服务器证书获取策略。了解有关策略的一般信息及其工作方式的更多信息 您需要验证证书链以获得
PKIxCertPathValidator结果。下面是检查证书路径结果的详细示例
private static final Map<X500Principal, String> policies = new HashMap<X500Principal, String>();
static {
/*
* It would make sense to populate this map from Properties loaded through
* Class.getResourceAsStream().
*/
policies.put(
new X500Principal("OU=Class 3 Public Primary Certification Authority,O=VeriSign\\, Inc.,C=US"),
"2.16.840.1.113733.1.7.23.6"
);
// ...
}
static boolean isEV(PKIXCertPathValidatorResult result)
{
/* Determine the policy to look for. */
X500Principal root = result.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
String policy = policies.get(root);
if (policy == null)
/* The EV policy for this issuer is unknown (or there is none). */
return false;
/* Traverse the tree, looking at its "leaves" to see if the end-entity
* certificate was issued under the corresponding EV policy. */
PolicyNode tree = result.getPolicyTree();
Deque<PolicyNode> stack = new ArrayDeque<PolicyNode>();
stack.push(tree);
while (!stack.isEmpty()) {
PolicyNode current = stack.pop();
Iterator<? extends PolicyNode> children = current.getChildren();
int leaf = stack.size();
while (children.hasNext())
stack.push(children.next());
if (stack.size() == leaf) {
/* If the stack didn't grow, there were no "children". I.e., the
* current node is a "leaf" node of the policy tree. */
if (current.getValidPolicy().equals(policy))
return true;
}
}
/* The certificate wasn't issued under the authority's EV policy. */
return false;
}
private static final Map policies=new HashMap();
静止的{
/*
*从通过加载的属性填充此映射是有意义的
*Class.getResourceAsStream()。
*/
政策,付诸表决(
新X500主体(“OU=3级公共初级认证机构,O=VeriSign\\,Inc.,C=US”),
"2.16.840.1.113733.1.7.23.6"
);
// ...
}
静态布尔isEV(PKIXCertPathValidatorResult)
{
/*确定要查找的策略*/
X500Principal root=result.getTrustedAnchor().getTrustedCert().getSubjectX500Principal();
字符串policy=policies.get(root);
如果(策略==null)
/*该发行人的电动汽车政策未知(或没有)*/
返回false;
/*遍历树,查看其“叶子”,以查看结束实体
*证书是根据相应的电动汽车政策颁发的*/
PolicyNode tree=result.getPolicyTree();
Deque stack=new ArrayDeque();
栈。推(树);
而(!stack.isEmpty()){
PolicyNode current=stack.pop();
迭代器EDIT:发布附加代码
如果您使用Sun的X509实现,您可以这样做
CertificatePoliciesExtension ext = ((X509CertImpl)cert).getCertificatePoliciesExtension();
List<PolicyInformation> policies = (List<PolicyInformation>)ext.get(CertificatePoliciesExtension.POLICIES);
boolean evCert = false;
for (PolicyInformation info : policies) {
CertificatePolicyId id = info.getPolicyIdentifier();
if (isEVPolicy(id)) {
evCert = true;
break;
}
}
......
public static ObjectIdentifier[] EV_POLICIES;
static {
try {
EV_POLICIES = new ObjectIdentifier[] {
new ObjectIdentifier("2.16.840.1.113733.1.7.23.6"), // Verisign
new ObjectIdentifier("1.3.6.1.4.1.14370.1.6"), // Geo-Trust of Verisign
new ObjectIdentifier("2.16.840.1.113733.1.7.48.1") // Thawte
};
} catch (IOException e) {
throw new IllegalStateException("Invalid OIDs");
}
}
private boolean isEVPolicy(CertificatePolicyId id) {
for (ObjectIdentifier oid : EV_POLICIES) {
if (oid.equals((Object)id.getIdentifier()))
return true;
}
return false;
}
CertificatePolicyExtension ext=((X509CertImpl)cert).getCertificatePolicyExtension();
列表策略=(列表)ext.get(CertificatePolicyExtension.Policys);
布尔evCert=false;
对于(策略信息:策略){
CertificatePolicyId=info.getPolicyIdentifier();
如果(ISEVpolicity(id)){
evCert=真;
打破
}
}
......
公共静态对象标识符[]EV_策略;
静止的{
试一试{
EV_策略=新对象标识符[]{
新的ObjectIdentifier(“2.16.840.1.113733.1.7.23.6”),//Verisign
新的ObjectIdentifier(“1.3.6.1.4.1.14370.1.6”),//Verisign地理信托
新的目标标识符(“2.16.840.1.113733.1.7.48.1”)//Thawte
};
}捕获(IOE异常){
抛出新的非法状态异常(“无效OID”);
}
}
私有布尔isEVPolicy(CertificatePolicyId){
用于(ObjectIdentifier oid:EV_策略){
if(oid.equals((对象)id.getIdentifier())
返回true;
}
返回false;
}
我们只允许来自3个CA的EV证书。您可以在该阵列中添加更多EV OID。您可以从中获得OID的完整列表
我终于让它工作了……下面是一个运行的最小示例,显示了所有逻辑和检查。是的,它适用于banking.dkb.de
:-)
感谢所有帮助我的人。欢迎对明显的安全漏洞或其他任何东西(除了代码样式或缺少错误处理;我努力将代码压缩到可运行代码的绝对最小值)发表任何评论,因此请随时发表评论:)
import java.io.*;
导入java.security.*;
导入java.security.cert.*;
导入java.util.*;
导入javax.net.ssl.*;
导入javax.security.auth.x500.x500主体;
公共类CertChecker实现X509TrustManager{
私人最终X509TrustManager defaultTM;
public CertChecker()引发GeneralSecurityException{
TrustManagerFactory tmf=TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
init((密钥库)null);
defaultTM=(X509TrustManager)tmf.getTrustManager()[0];
}
public void checkServerTrusted(X509Certificate[]证书,字符串authType){
如果(defaultTM!=null){
试一试{
defaultTM.checkServerTrusted(证书、authType);
if(isEVCertificate(certs))
System.out.println(“EV证书:+certs[0].getSubjectX500Principal().getName()+”由“+certs[0].getIssuerX500Principal().getName()颁发);
System.out.println(“有效证书”);
}捕获(证书例外){
System.out.println(“证书无效:+ex.getMessage());
}
}
}
专用布尔isEVCertificate(X509Certificate[]证书){
试一试{
CertificatePoliciesExtension ext = ((X509CertImpl)cert).getCertificatePoliciesExtension();
List<PolicyInformation> policies = (List<PolicyInformation>)ext.get(CertificatePoliciesExtension.POLICIES);
boolean evCert = false;
for (PolicyInformation info : policies) {
CertificatePolicyId id = info.getPolicyIdentifier();
if (isEVPolicy(id)) {
evCert = true;
break;
}
}
......
public static ObjectIdentifier[] EV_POLICIES;
static {
try {
EV_POLICIES = new ObjectIdentifier[] {
new ObjectIdentifier("2.16.840.1.113733.1.7.23.6"), // Verisign
new ObjectIdentifier("1.3.6.1.4.1.14370.1.6"), // Geo-Trust of Verisign
new ObjectIdentifier("2.16.840.1.113733.1.7.48.1") // Thawte
};
} catch (IOException e) {
throw new IllegalStateException("Invalid OIDs");
}
}
private boolean isEVPolicy(CertificatePolicyId id) {
for (ObjectIdentifier oid : EV_POLICIES) {
if (oid.equals((Object)id.getIdentifier()))
return true;
}
return false;
}
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;
public class CertChecker implements X509TrustManager {
private final X509TrustManager defaultTM;
public CertChecker() throws GeneralSecurityException {
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore)null);
defaultTM = (X509TrustManager) tmf.getTrustManagers()[0];
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
if (defaultTM != null) {
try {
defaultTM.checkServerTrusted(certs, authType);
if (isEVCertificate(certs))
System.out.println("EV Certificate: "+ certs[0].getSubjectX500Principal().getName() + " issued by " + certs[0].getIssuerX500Principal().getName());
System.out.println("Certificate valid");
} catch (CertificateException ex) {
System.out.println("Certificate invalid: " + ex.getMessage());
}
}
}
private boolean isEVCertificate(X509Certificate[] certs) {
try {
// load keystore with trusted CA certificates
KeyStore cacerts = KeyStore.getInstance("JKS");
cacerts.load(new FileInputStream(new File(System.getProperty("java.home"), "lib/security/cacerts")), null);
// build a cert selector that selects the first certificate of the certificate chain
// TODO we should verify this against the hostname...
X509CertSelector targetConstraints = new X509CertSelector();
targetConstraints.setSubject(certs[0].getSubjectX500Principal());
// build a cert path from our selected cert to a CA cert
PKIXBuilderParameters params = new PKIXBuilderParameters(cacerts, targetConstraints);
params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(certs))));
params.setRevocationEnabled(false);
CertPath cp = CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
// validate the cert path
PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(cp, params);
return isEV(result);
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
}
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {}
public X509Certificate[] getAcceptedIssuers() { return null;}
public static void main(String[] args) throws Exception {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, new TrustManager[] {new CertChecker()}, new SecureRandom());
SSLSocketFactory ssf = (SSLSocketFactory) sc.getSocketFactory();
((SSLSocket)ssf.createSocket(args[0], 443)).startHandshake();
}
private static final Map<X500Principal, String> policies = new HashMap<X500Principal, String>();
static {
// It would make sense to populate this map from Properties loaded through
// Class.getResourceAsStream().
policies.put(
new X500Principal("OU=Class 3 Public Primary Certification Authority,O=VeriSign\\, Inc.,C=US"),
"2.16.840.1.113733.1.7.23.6"
);
// TODO add more certificates here
}
// based on http://stackoverflow.com/questions/1694466/1694720#1694720
static boolean isEV(PKIXCertPathValidatorResult result)
{
// Determine the policy to look for.
X500Principal root = result.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
System.out.println("[Debug] Found root DN: "+root.getName());
String policy = policies.get(root);
if (policy != null)
System.out.println("[Debug] EV Policy should be: "+policy);
// Traverse the tree, looking at its "leaves" to see if the end-entity
// certificate was issued under the corresponding EV policy.
PolicyNode tree = result.getPolicyTree();
if (tree == null)
return false;
Deque<PolicyNode> stack = new ArrayDeque<PolicyNode>();
stack.push(tree);
while (!stack.isEmpty()) {
PolicyNode current = stack.pop();
Iterator<? extends PolicyNode> children = current.getChildren();
int leaf = stack.size();
while (children.hasNext())
stack.push(children.next());
if (stack.size() == leaf) {
System.out.println("[Debug] Found policy: " + current.getValidPolicy());
// If the stack didn't grow, there were no "children". I.e., the
// current node is a "leaf" node of the policy tree.
if (current.getValidPolicy().equals(policy))
return true;
}
}
// The certificate wasn't issued under the authority's EV policy.
return false;
}
}